CVE-2025-11855: CWE-269 Improper Privilege Management in age-restriction
The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and an arbitrary password.
AI Analysis
Technical Summary
CVE-2025-11855 is a critical improper privilege management vulnerability (CWE-269) found in the WordPress age-restriction plugin versions up to 3.0.2. The vulnerability resides in the age_restrictionRemoteSupportRequest function, which lacks proper authorization checks. This flaw allows any authenticated user, including those with minimal privileges such as subscribers, to execute this function and create an administrative user account with a hardcoded username and an attacker-chosen password. The absence of authorization means that the plugin does not verify whether the user has sufficient rights before allowing this operation. Consequently, an attacker who can authenticate to the WordPress site can escalate their privileges to full administrator rights without exploiting any other vulnerabilities or requiring user interaction. This leads to a complete compromise of the WordPress environment, including the ability to modify content, install malicious plugins, exfiltrate data, and pivot to other systems. Although no public exploits have been reported yet, the vulnerability is straightforward to exploit given the low privilege requirement and the direct creation of an admin user. The vulnerability was reserved on October 16, 2025, and published on November 11, 2025, but no patch links are currently available, indicating that users must be vigilant and consider manual mitigations. The affected plugin is widely used in WordPress sites that enforce age restrictions, commonly found in European markets with strict content regulations. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the widespread use of WordPress and its plugins in business websites, e-commerce platforms, and content management systems. Successful exploitation results in full administrative control over the affected WordPress site, enabling attackers to alter or delete content, steal sensitive user data, deploy malware, or use the compromised site as a foothold for further attacks within the corporate network. Given Europe's stringent data protection regulations such as GDPR, a breach resulting from this vulnerability could lead to severe legal and financial consequences. Organizations relying on the age-restriction plugin to comply with legal age verification requirements may face operational disruptions and reputational damage if attackers exploit this flaw. Additionally, attackers could leverage the compromised admin account to bypass other security controls, escalate privileges on connected systems, or launch phishing campaigns targeting European users. The vulnerability's ease of exploitation and the critical level of access gained make it a high-priority threat for European entities, especially those in sectors like media, e-commerce, education, and regulated industries where WordPress is prevalent.
Mitigation Recommendations
Until an official patch is released, European organizations should immediately audit their WordPress installations for the presence of the age-restriction plugin and verify the installed version. If the plugin is in use, shrink the pool of accounts that can reach the vulnerable function: review and prune subscriber accounts and disable open user registration where it is not needed. Implement web application firewall (WAF) rules to detect and block requests that invoke the age_restrictionRemoteSupportRequest function or related suspicious activity. Conduct a manual code review and add an authorization check to the vulnerable function so that only users with administrative privileges can execute it. Monitor WordPress logs for unexpected account creation, in particular new administrator accounts, and for other privilege escalation attempts. Consider temporarily disabling or uninstalling the plugin if feasible. Organizations should also enforce strong authentication mechanisms, including multi-factor authentication (MFA) for all WordPress admin accounts, to reduce the risk of compromised credentials. Regular backups and incident response plans should be updated so that a compromise can be recovered from quickly. Finally, stay informed through official WordPress security channels for patch releases and apply updates promptly.
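The code review recommended above boils down to gating the privileged handler on capability and nonce checks. The following is an added illustration, not the age-restriction plugin's code: a hypothetical WordPress AJAX handler for a "remote support" action (hook name, nonce action and function name are all assumed) written with the authorization check that CVE-2025-11855's handler lacks.

```php
<?php
// Added example (not the age-restriction plugin's code). A privileged
// "remote support" AJAX handler gated the way the vulnerable function should be.
// Hook, nonce action and function names are hypothetical.

// wp_ajax_* only fires for logged-in users; no wp_ajax_nopriv_* twin is registered,
// so unauthenticated callers never reach the function at all.
add_action( 'wp_ajax_example_remote_support_request', 'example_remote_support_request' );

function example_remote_support_request() {
    // 1. CSRF: require a nonce issued for this action via
    //    wp_create_nonce( 'example_remote_support' ) on the admin page.
    check_ajax_referer( 'example_remote_support', 'nonce' );

    // 2. Authorization (the missing check behind CVE-2025-11855): only users who
    //    already hold administrative rights may trigger admin-account creation.
    //    A subscriber fails here and gets a 403 instead of a new admin account.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Do not accept a caller-chosen password for a privileged account;
    //    generate it server-side and deliver it out of band.
    $login    = sanitize_user( 'support-' . wp_generate_password( 8, false ), true );
    $password = wp_generate_password( 24, true, true );
    $user_id  = wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // 4. Audit trail: every privileged account creation is logged with the actor,
    //    which is what the "monitor for unusual account creation" advice relies on.
    error_log( sprintf( 'remote support admin %s (ID %d) created by user %d',
        $login, $user_id, get_current_user_id() ) );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

While the plugin is still installed, `wp user list --role=administrator --fields=ID,user_login,user_registered` (WP-CLI) gives a quick inventory of administrator accounts to compare against the expected set.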
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-10-16T13:04:43.871Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6912d40cdcb51f5ee464bb60
Added to database: 11/11/2025, 6:13:32 AM
Last enriched: 11/11/2025, 6:28:30 AM
Last updated: 11/13/2025, 12:51:33 AM